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(57) ABSTRACT 

A method for updating antivirus files on a computer using 
push technology is disclosed. In a preferred embodiment, 
updated virus signature files or other updated antivirus 
information is loaded onto a central antivirus server, while 
local push agent software is installed on the client computer. 
When the user of the client computer is coonecled to the 
Internet, the push agent software operates in the background 
to receive updated antivirus files from the central antivirus 
server across the Internet, in a manner which is substantially 
transparent to the user. In another preferred embodiment, 
antivirus files on a plurality of client computers on a 
corporate computer network are automatically updated 
using push technology and automated network installation 
scripts. A service computer associated with the plurality of 
client computers receives one or batches of antivirus updates 
from a central antivirus server across the Internet using push 
technology. An automatic installation script is executed to 
install the antivirus updates on the client computers of the 
corporate computer network with a minimum of involve- 
ment from a corporate system administrator or, optionally, 
no involvement from the corporate system administrator. 
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METHOD AND SYSTEM FOR PROVIDING application offered for sale in a variety of outlets and forms. 

AUTOMATED UPDATING AND UPGRADING VirusScan™ is accompanied by documentation in printed 

OF ANTIVIRUS APPLICATIONS USING A for™ (sec. e.g., "VirusScan Quick Start Guide'*. McAfee 

COMPUTER NETWORK Associates 1997, accompanying the CD-ROM version of 

5 VirusScan for Windows 95. NT. S-lxi DOS and OS/2), in 
RELATED APPLICATIONS computer-readable form (see, e.g., the directory \MANU- 

ALS on the CD-ROM version of VirusScan for Windows 95, 
This is a continuation of application Ser. No. 09/001.611 NT, 3.1x, DOS and OS/2), and on the World Wide Web at 
filed Dec. 31, 1997, now U.S. Pal. No. 6,035,423. http://svww.mcafee.com. The contents of these documents 

are hereby incorporated by reference into the present appU- 
HELD OF THE INVENTION ^° cation. 

-Die present invention relates gencraUy to computer sys- ^° ^ VirusScan™ application is adapted for 

, ^11 ^ - I *i_ i use on a user s chenl computer runnmg on a Wmdows 95™ 

tems and computer networks. In particular, the present , - , . • j . • ^- • i- 

1^^, , 1* r • * ' • platform. A mam routine used by this antivirus apphcation 

mvcntioa relates to a method and system for maintammg T «or-*xT i-vt-** ci . • . • n i j ■ 

. . ^. . . . ^ L J « IS SCAN .EXE , a program file that is typically placed m 

and updating antivirus apphcations m computers attached to 15 . a' * r \r>iinrDA\A 



a computer network. 



the directory C:\PROGRAM. 

FILES\MCAFEE\VIRUSSCAN on the user's hard drive. 

BACKGROUND OF THE INVENTION program SCAN.EXE is adapted to be used for any of the 

following types of virus scanning: virus scanning of system 

The generation and spread of computer viruses is a major boot-sectors at startup, on-demand vims scanning at the 
problem in modem day computing. Generally, a computer ^ explicit request of the user, and on-access virus scanning of 

virus is a program that is capable of attaching to other a file when that file is accessed by the operating system or 

programs or sets of computer instructions, replicating itself, an application. In the Windows 95™ environment, the 

and performing unsolicited or malicious actions on a com- Registry files are often modified such that SCAN.EXE is run 

puter system. Generally, computer viruses are designed to at computer startup, and also remains resident for scanning 
spread by attaching to floppy disks or data transmissions ^ all files upon file access. 

between computer users, and are designed to do damage ^ typical configuration, VirusScan™ is used in con- 
while remaining undetected. The damage done by computer junction with a set of virus signature files having the names 
viruses may range from mild interference wiOi a program, CLEAN.DAT, MCALYZE.DAT, NAMES.DAT, and SCAN- 
such as the display of an unwanted political message in a .DAT. As of McAfee's Oct. 15, 1997 release of version 3010 
dialog box, to the complete destruction of data on a user's of VirusScan™ signature file updates, these virus signa- 
hard drive. It is estimated that new viruses are created at a (y^e files collectively comprise over 1.6 MB of virus infor- 
rate of over 100 per month. mation. 

A variety of programs have been developed to detect and in a typical configuration, the files CLEAN.DAT, 

destroy computer viruses. As is known in the art, a common MCALYZE.DAi; NAMES.DAT, and SCAN.DAT are also 

method of detecting vimses is to use a virus scanning engine placed in the directory C:\PROGRAM_ 

to scan for known computer viruses in executable files, FILES\MCAFEE\VIRUSSCAN on the user's hard drive, 

application macro files, disk boot sectors, etc. Generally, por purposes of clarity and simplicity in describing the 

computer viruses are comprised of binary sequences called background and preferred embodiments, this disclosure will 

*Virus signatures." Upon the detection of a vims signature refer to a generic antivirus program Antivirus_ 

by the vims scanning engine, a virus disinfection program ApplicatioD.exe" and a generic antivirus signature file 

may then be used to extract the harmful information from the VIRUS_SIGNArURES.DAT. 

infected code, thereby disinfecting that code. Common virus Generally speaking, a recent trend is for manufacturers of 

scanning software allows for boot-sector scannmg upon antivirus applications to update their virus signature files 

system bootup, on-demand scannmg at the explicit request VIRUS_SIGNArLrRES.DAT as new viruses are discovered 

of the user, and/or on-access scanning of a file when that file ^^^^ ^^^^ developed, and to make 

is accessed by the operating system or an application. updated signature files avaUable to users on a periodic 

In order to detect computer vimses, a virus scanning basis (e.g. monthly, quarterly, etc.). For example, an antivi- 

engine is generally provided in conjunction with one or rus program manufacturer may post the update file VIRUS_ 

more files called "virus signature files". The virus scanning SIGNATURES .DAT on a bulletin board system, on an FTP 

engine scans a user's computer files via a serial comparison (file Transfer Protocol) site, or on a World Wide Web site for 

of each file against the viriis signature files. Importantiy, if downloading by users. 

the signature of a certain virus is not contained in any of the pjQ ^ uiustrates one serious problem that arises from the 

virus signature files, that virus will not be detected by the constant onslaught of new v ruses. FIG. 1 shows a flowchart 
vuus scannmg engme. 55 of steps 100 which can occur when a typical user purchases 

By way of example, and not by way of limitation, one and loads an antivirus program equipped with virus signa - 

leading antivirus program and its accompanying vims sig- nire files, but neglects to keep its virus signature files 

nature files is described. It is emphasized that this example current. At step 102, on a first date such as Apr. 1, Year 0 

is presented only for clarity of presentation, and docs not (4/1/00), the user acquires and loads the antivirus applica- 
limit the scope or context of the preferred embodiments to 50 tion Antivirus_^plication.EXE and the signature files 

ceruin software packages, software types, or operating VIRUS_SIGNATURES.DAT, the file VIRUS_ 

system types. Indeed, the preferred embodiments are advan- SIGNATURES .DAT having a last-revised date, for example, 

Ugeously applied to many different types of antivinis soft- of Feb. 1, 2000. At step 104, theAntivirus_AppUcation.exe 

ware programs on many different types of operating systems routine and the VIRUS^SIGNATURES.DAT file are suc- 
and computing configurations. 55 cessfully run on the user's computer. The user, being satis- 

A leading antivirus application, produced by McAfee fled that he or she has adequately protected the computer. 

Associates, is called VirusScan™. VmisScan*™ is a software does not update the VIRUS_SIGNArURES.DAT file. 
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However, in the meantime, as shown in FIG. 1 at step 106, 
on May 15, 2000 a third-party "hacker** develops and begins 
the distribution and spreading of BAD_APPLE.V, a new 
virus which replicates itself and dcstro>'s user data. At step 
108, on Jul. 15, 2000, the antivirus manufacturer who makes 
Antivirus_Application.exe discovers BAD_j\PPLE,V. At 
step 110, that day the manufacmrer develops a fix for 
BAD_^APPLE.V and writes its virus signature (along with 
data to implement the fix) into the next release of VIRUS_ 
SIGNArURES.DAT. At step 112, the antivirus manufacturer 
releases an updated VIRUS_SIGNATURES.DAr dated 
Sep. 1, 2000. In addition to containing other virtis signatures 
and fixes, the new VlRUS_SIGNArURES.DAr file con- 
tains the virus signature and fix for BAD_APPLE.V. 

At step 114, on Jan. 13, 2001, the user from step 104 
finally becomes infected by the BAD^APPLE.DAT virus. 
For example, the user may have borrowed a floppy disk 
infected with BAD_APPli.V from a friend, or may have 
downloaded an application infected with BAD_APPLE.V 
from the Internet. At that very time, at step 116, the program 
Antivirus__Application.exe scans the infected program. 
However, at step 116 the BAD_APPLE. V virus goes unde- 
tected by Anlivirus_Application.exe because the V1RUS_ 
SIGNATURE.DAr file being used is an old one dated Feb. 
1, 2000 and therefore it does not contain the virus signature 
for BAD_APPLE. V. Because it has remained undetected, at 
step U8 on Jan. 19, 2001, the BAD_APPLEV virus 
destroys data on the user^s computer 

The scenario of FIG. 1 is a common manner in which 
desktop systems thai are purportedly "protected" from infec- 
tion nevertheless become infected by new viruses, and 
represents a problem unique to computer antivirus applica- 
tions. Upgrades to antivirus files generally have no effect on 
the user's usage of the desktop system. As represented by the 
scenario of FIG. 1, the need for antivirus upgrades is often 
not realized by a user until it is too late. In another common 
scenario, the virus scanning Antivinis_^Application.exe may 
itself be outdated, having been superseded by a newer and 
superior engine. These outdated engines are often unable to 
detect the new species of vimses, which are constantly 
evolving, such as "stealth" viruses and "polymorphic" 
viruses. 

Unfortunately, even if the user is comparatively sophis- 
ticated in his or her ability to maintain the most recent virus 
scanning engines and virus signature files, preventable virus 
infection may still occur. With the proliferation of users on 
the Internet and World Wide Web, new viruses may be 
spread almost instantaneously upon their introduction. 
Unless the user aflSrmatively checks up on the manufactur- 
er's new releases daily, his or her system may not be 
protected with the most recent virus signature files and 
scanning routines available. 

FIG. 2 illustrates another practical problem that may arise 
regarding antivirus software distribution, this time in the 
context of a typical corporate local area network (LAN). 
FIG. 2 shows a typical local area network 200 comprising a 
network server 202, a communications network 204 such as 
an ETHERNET network, a plurality of user nodes 
206A-206N, and an Internet gateway 208. As known in the 
art, Internet gateway 208 is generally coupled via an appro- 
priate protocol connection to the Internet 210, either through 
an ISP (Internet Service Provider) or a dedicated coimcction 
to the Internet 210. 

In a common scenario associated with the environment of 
FIG. 2, one or more dedicated system administrators 212 
have the task of ensuring that the antivirus software on the 
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local desktop machines 206A-206N stays updated. Thus, in 
the environment of FIG. 2, there are additional layers of 
complexity associated with the updating of desktop antivirus 
software in comparison to the single user scenario. In 

5 particular, the system administrator 212 must (a) maintain an 
awareness of all antivirus software needs of the various user 
nodes 206A-206N, (b) maintain an awareness of aU update 
information relating to the antivirus software, and (c) 
retrieve and install the latest versions and updates for each 

10 user node as soon as those updates become available. While 
modem antivirus updating systems may allow the system 
administrator 212 to manually request and receive updates 
from an antivirus manufacturer FTP or World Wide Web Site 
214 across the Internet 210, as shown in FIG. 2, it is 

15 nevertheless a labor-intensive task to distribute and install 
the antivims updates effectively and rapidly. The antivirus 
update collection and distribution tasks can readily become 
difficult to keep up with, especially where a typical corporate 
network may have a variety of hardware platforms (e.g., 

20 IBM, Macintosh, Sun, Silicon Graphics), and a variety of 
software platforms (e.g., Windows 95, Windows 3.1, DOS, 
UNUX, UNIX, Macintosh), each combination of which 
will have its own unique set of virus scanning engines and 
virus signature files. It is well known in the art, for example, 

25 that viruses are operating system specific, and so the local 
client computers 206A-206N of FIG. 2 will likely require 
several different vims scanning engines and virus signature 
files. Each of these product lines will likely have distinct and 
disparate updating schedules, further frustrating the efforts 

30 of the system administrator 212. 

Accordingly, it would be desirable to provide a method 
and system for providing the most up-to-date virus scanning, 
disinfection, and signature files on a user's computer for 
protecting against the newest viruses. 

It would be further desirable to provide a method and 
system for the antivirus software updating to be simple and 
automatic, such that unsophisticated users are consistently 
provided with the most recent antivirus protection available. 

It would be even further desirable to provide a me±od of 
antivirus software update distribution which allows a higher 
frequency of update releases from antivirus software manu- 
facturers for the most up-to-date, or even up-to-the-hour, 
antivirus protection available. 

45 It would be even further desirable to provide a method of 
automated antivirus software update distribution to the dif- 
ferent types of user nodes of a local corporate network, with 
minimized intervention required by the system administra- 
tor. 

SUMMARY OF THE INVENTION 

These and other objects are achieved by a method and 
system for updating local client computers with antivirus 
software updates from a central antivirus server, the local 

55 client computers and the central antivirus server being 
coupled by a packet-switched network, wherein the antivirus 
software updates are transferred from the central antivirus 
server to a given local client computer using a push tech- 
nology method. The central antivirus server comprises a first 

60 database containing information related to the latest antivi- 
rus software updates contained on each local client 
computer, and uses push technology to transmit updated 
antivirus files if the local client computer's antivirus files are 
out of date. 

65 In another preferred embodiment, the computer network 
is a packet-switdied network, the central antivirus server is 
coupled to the computer network using a packet-switched 
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protocol, and each of the plurality of local client computers FIG. 8 shows a diagram of a computer network according 

is coupled to the computer network using a packet-switched another preferred embodiment; 

protocol. Each client computer intermittently notifies the FIGS. 9A and 9B show a sample directory structure and 

central antivirus server that the client computer is actively directory listings of client computer files according to 
coupled to the computer network. The central antivirus 5 another preferred embodiment; 

server thereupon evaluates whether that client computer has FIG. 10 shows a diagram of a computer network accord- 
been sent the most recent antivirus file updates. If the client ing to another preferred embodiment; 
computer has not been sent the most recent antivirus FIG. U shows a portion of an antivirus update database 
updates, the central antivirus server transmits updated anti- kept according to a preferred embodiment; 
virus files to that client computer over the computer net- lO FIG. 12 shows steps taken by a local area network 
work. administration computer according to a preferred embodi- 

In another preferred embodiment, the computer neUvork ment, 

is a packet-switched network, the central antivirus server is DETAILED DESCRIPTION OF THE 

coupled to the computer network using a packet-switched INVENTION 

protocol, and each of the plurality of local computers is 15 , -.^o. 

coupled to the computer network using a packet-switched "G. 3 shows a computer network 300 according to a 

protocol. Each local computer has a maximum allowable preferred embodiment. Computer network 300 comprises a 

data rate between itself and the computer network. When a =1"=°' comp^tfr 302. For illustrative purposes, and not by 

data transfer rale between the computer network and any ^fV °f hmitation, chenl computer 302 is a Pentnim™-based 
local computer falls below a first data rate less than the 20 client computer running on a Wmdows 95 operaUng system, 

maximum data rate, the excess transport capacity is detected ^^""^ computer 302 has a packet-switched connection to the 

and used to allow transmission of updated virus software ^ using any of a vanety of connection means 

files from the central antivirus server to the local computer. f- V"' e^bodmieat shown m HG. 3 shows, 

- , ... , , ,-. ri 1 for example, the client computer 302 coupled to an Internet 

m another preferred embodiment, a plurality of local ^^^.^ ^^^^.^^^ ^^J^ g^IP (Serial Line Interface 

chent computers are coupled to a local area network anU- p^^^^^^j^ ppp ^p^^^^ ^^^^ connection. 

virus server across a local area network. Tlie local area '^^^^ ^^^.^^^ ^ ^ ,^ 

network anlivmis server is, in turn, coupled to a centra] j^,^^^^^ j^/^,.^^^ .hereby having the 

antivirus server across a packet-switched network. The u*v* * j j ■ • c * j 

, , V . r 1 . . 11 . ability to send and receive information to other nodes on the 

central server uses push technology to automatically trans- t„,„„^. .u. -rr-o^D /n-,o„o™;oc*«„ 

_ , , , , ^ , 10 Internet 304 usmg the TCPAP protocol (Transmission Con- 

mit antivirus software updates to the local area network , , „ * i/t . * o. * i\ 

, ^ f.. 1 n 1 V * trol rrotocol/lnteraet rrotocol). 

antivirus server whenever any of the plurahty of local chent _ ^, , ^ , * - u ^ 

computers contain antivirus software which is out of date. , *^^P''' °^ "° ""^^'f. between 

■me central antivirus seiver addiUonally transmits insiruc- I'"^™^' P'""'^.^' ^06 and client computer 302 is not 

tions to the local area network antivirus server suflicient to " permanent connection. Rather, the dial up connecUon 

allow automatic downloading and installing of the antivirus ^5 exists only when the client computer 302 dials Internet 

updates onto the appropriate local client computer with service provider 304 over the public switched telephone 

• • e, . .^^.v.-o./^f», network usmg a modem. A SUP or PPP connection is then 

rmmmized intervention from a system administrator. .. 

, . . . ... ... established between client computer 302 and Internet ser- 

Advantageously, m antmnis update distribution systems ^.^^ ^^^^ 3^2 ,p 

according to the preferred embodiments described herein, address 305 at that time. ImportanUy. however, the scope of 

there is an opportunity for mmmiized latency between the ^^^^^^ embodiment is not necessarily Umited to 

discovery of a new virus by an antivirus manufacturer and j^^^^^^j connectioas between client computer 302 

the loading of the new protecuve updates onto user desktops. 3^4 ^ 

Because human intervention m the update process is mim- ■ .omiection methods are also within the scope of the 

mized or eliminated altogether at the client desktop antivi- ^^^^^^ embodiment including, but not limited to. a hiU- 

rus manufacturers are free to distribute antivirus updates as dedicated connection between client computer 302 

often as necessao^ to counteract the latest computer viruses 3^ ^^^^ connection between 

without the need to worry about overloading users with ^^^^^ computer 302 and a computer network which assigns 

anUvirus update acUvity. ^^^^^ computer 302 an address for aUowing the transmission 
BRIEF DESCRIPTION OF THE DRAWINGS 50 of information to and from client computer 302. 

HG. 1 shows steps corresponding to one prior art scenario Shown in HG 3 is a central antivirus server 308 having 

of antivirus software distribution and virus infection; » packet-switched connection to Internet 304. Central anti- 

„^ ^ . , , virus server 308 general! y comprises a computer that is 

FIG. 2 shows a computer network and an antivirus server c j- j . r . - y . 

, , , - t. . .1 - capable of sendmg and receiving information over the 

coupled to the Internet according to the pnor art; j^^^^^^ 3^,^^ ^ of storing, relieving, and maintaining 

HG. 3 shows a computer network accordmg to a preferred ^^^^ ^^^^^^^ ^^^^ ^^^^^ appUcations. In 

embodiment; ^^^^ central antivirus server 308 comprises a World 

FIG. 4 shows steps taken by a client computer according ^j^c Web site having a variety of useful antivirus informa- 

to a preferred embodiment; ^^^^ available to subscribers. CenU-al antivirus server 308 is 

FIGS. 5 A and 5B show a sample directory structure and usually associated with an antivirus software manufacturer, 

directory listings of client computer files according to a storing and maintaining versions of anti virus application and 

preferred embodiment; signature files created by that manufacturer. However, the 

FIG. 6 shows steps taken by a cenu-al antivirus server scope of the preferred embodiment is not so limited, and 

according to a preferred embodiment; central antivirus server 308 may also comprise, for example, 

FIG. 7 shows a diagram of a database contained within a 65 a general "clearinghouse" of information on a variety of 

central antivirus server according to a preferred embodi- topics, and may be capable of running non-antivinis-relaied 

ment. applications. 
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Using means not shown in FIG. 3, central antivirus server user logs oflf the Inlemei. Importantly, according to a pre- 
308 is kept up-to-date with the latest releases of antivirus ferred embodiment, the antivirus updating steps 408-414 
files, and in the present example is kept up to date with the carried out in parallel with the steps 418-420, that is, the 
most recent versions of Antivirus _AppUcation.6Xc and antivirus updating steps 408-^14 are carried out in the 
VIRUS_SIGNArURES.DAr. Importantly, according to a s "background" and arc transparent to the user. In some 
preferred embodiment, the file VIRUS_ circumstances there may be slight delays or longer down- 
SIGNATURES.DAT may be updated monthly, weekly, daily ^^^^ .^^s caused by the background downloading of the 
or even hourly as newly unleashed viruses are discovered, ^tntivin^ update files but the operation of the chent corn- 
analyzed, and remedied. Once a vims is remedied, e.g. once P^^^^ ^02 as seen by the user is generally unaffected, 
its signature is determined, the new signature may be 10 FIG 5A shows a printout of the directory structure and 
integrated into the file VIRUS.SIGNATURES.DAT by the "^^'^ ^^tmgs firom a hard dnve of chent computer 302 
antivirus application manufacturer, according to a preferred embodiment. For exemplary 
^ ^ , L 1- . * 1ft'* • purposes, chent computer 302 comprises a hard dnve E:, 

FIG. 4 sho^ steps taken by chent computer 302 id ^^^^ ^^^^^^^ ^ 5A, which is loaded with 

accordance with a preferred embodiment. At step 402 the ^ ^ ^ application files, including 

client computer 302 IS turned on or othenvise activated. At - / j -^i. * j J j 

^itui ,^iiitiuvt,i J * 1^ antivirus software. In accordance with standard Wmdows 

this Ume as known m Uie art antivmis apphcation software organization methods, hard drive 502 comprises a My 

on chent computer 302 .s acuvated, usually automaUcaUy q^^J^^^ ^04 containing user files, a Program 

The antivuns apphcation software scans for viruses on chent ^ ^,-„^t««. cni: \w.«*,^«;«« Jr.^ ^ 

. if 11 . ui CI «t^„ Files directory 506 containing program directones, and a 

computer 302 by comparing all executable fi es,macrx) files, ^^^^^^ containing operating system files. 

w^oTT'^cln^T°.'^^?To'^c^'f^ as con ained m a file 20 ^.^^^ comprises an Antivims Soft- 

VIRUS.SIGNATURES.DAT^ According to a preferred P^.^^^ 

embodmiem, at step 404 a desktop antivirus iipdate agent is ^^^^ j^^^^^^ ^. containing 

started and remains resident m chent computer 302. ^ ^^.^^^^^ j^^^^^^^ Explorer™ Web browser, a Netscape 

As shown at step 406, the desktop antivirus agent on directory 514 containing a Netscape Navigator^" Web 

client computer 302 generally remains dormant until the browser, and other program file directories, 

chent computer 302 is connected to the Internet via a TCP/IP Antivirus Software directory 510 contains a DAT Signa- 

connection and an Interne! interface program such as a Web ^^^^ p^^^ directory 516 and a Program directory 518. The 

browser is acUvated. Step 406 is a detection step, wherein ^^^^^^^ p^^g^^ directory 518 are shown on the right 

the anUvirus update agent queries the operatmg system of 5^ Program directory 518 comprises a 

chent computer 302 for an indicaUon that a TCP/IP connec- executable file Antivirus ^pplication.exe 520 and a 

tion and that a Web browser has been mvoked. ^^^^^^ executable file Antivirus_Update_Agent.exe 522. 

At step 408 the antivirus update agent transmiu a js^ known in the art, at computer startup the program 

sequence of information packets to the central antivirus Antivirus_Application.exe 520 is executed or, alternatively, 

server 308 for notifying the central antivirus server 308 that this program can be manually invoked by the user. One 

a TCP/IP connection and a Web browser have been activated manner in which to cause Antivirus_Apphcation.exe 520 to 

at client computer 302. Among the information transmitted automatically execute at startup is to place a shortcut to this 

from client computer 302 to central antivirus server 308 are program in the "Startup" portion of the Windows 95™ Start 

two items of data used for achieving automated download menu system. 

and updating of antivims files on client computer 302. In According to a preferred embodiment, the program 

particular, (a) the IP address 305 of client computer 302 Antivirus_Update_Agent.exe 522 is the program which is 

(e.g., 205.84.4.137), and (b) a unique user ID (e.g., designed to perform the steps shown generally in FIG. 4. 

"BJONES01234^') are transmitted to central antivurus server program Antivirus_Update^Agent.exe 522 is designed 

308. to begin execution at computer startup, either through place- 
At step 410 antivirus update files are received by client 45 ment of a shortcut to it in the "Startup" portion of the 

computer 302 if any such files are sent by the central Windows 95™ Start menu system, or by other methods 

antivirus server 308. If any such files are received, at step known in the Windows 95™ programming art. The program 

412 the antivirus update files are loaded. If any such files are Antivirus_Update _Agent.exe 522 is designed to interact 

not received, at step 414 the antivirus update agent pauses with the operating system such that the creation of a TCP/IP 
for a period of time. Following step 412 or 414, as the case 50 connection to the Internet and the invocation of a Web 

may be, the decision step 406 is again performed if the chent browser is recognized. Once this connection is recognized, 

computer is still turned on and operating, as reflected by a the program Antivirus__Update_^gent.exe 522 causes 

positive branch at step 416. The loading step shown at FIG. communication with central antivirus server 308 to 

4 may be an automatic loading step, wherein ihe down- commence, wherein antivirus updates are received if the 
loaded files automatically self-execute and insert the 55 current antivirus files arc outdated. 

updated file V1RUS_SIGNATURES.DAT into the appro- FIG. 5B shows a printout of the directory structure of FIG. 

priatc directory of the client computer 302. Optionally, 5a except with contents the directory E:\Program 

according to another preferred embodiment, the downloaded Files\Antivirus SoftwarcVDAT Signature Files 516 being 

file may cause a "flash" notification to be seen by the user, shown in the right hand window. As shown in FIG. 5B, the 

advising the user that new antivirus files have been exemplary virus signature file VIRUS_ 

downloaded, and that the existing files currently being used SIGNATURES.DAF 524 is contained in the DAT Signature 

in the antivirus application are now outdated. The user may piles directory 516. According to a preferred embodiment, it 

then be given the option to (a) allow the downloaded files to js the file VIRUS_SIGNATURES.DAT 524 which contains 

be extracted and installed immediately, or (b) abey the the time-sensitive virus signature information, and which is 
installation process until a later time. ^5 the file which is most often updated by central antivirus 

FIG. 4 ako shows the step 418, whereby the user browses server 308. According to another preferred embodiment, the 

the Internet normally, followed by the step 420, whereby the program file Antivirus_Application.exe 522 is itself 
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updated periodically, as newer scanning approaches are terns to which they apply. Shown in subscriber database 704 

included in the most recent program versions. is a list of all known or registered subscribers along with 

According to another preferred embodiment, there are operating system types and the types and dates of the 

other time-sensiuve antivirus data files such as the files "P^'.^f f °' subscriber. The data shown .n FIG. 
Button Bomb Fighlers.DAT 526 and Ttojan Horse Fighte.^. S 7 is for ilh« raUve purposes; o>h« usefi.1 mforination may 

r^A-T-^-%oj 1 J J* L r^ATc- \ . bc also incIuded in daiabase 7(M). Through the use of 

"fir I ^^^T^^^ database 700, ceatral antivirus server 308 is capable of 

516. TlicseaddiUonal files, which arc designed to ^^^^^^ determining the requirements of each subscriber, and is 

the negative effects of the newest typc^ of harmfol software ^^^^^^^ determining whether a given subscriber is 

unleashed by computer hackers, may be associated into the updated with the latest versions of the required antivirus 
scanning engine through a linked list provided in the file 10 software 

ANnVlRUS.SIGNATURES.DAT. Advantageously, the ^jq g 3^0^^ ^ diagram of a computer network 800 

additional files may themselves be executable in nature, in according to another preferred embodiment. It has been 

which case these entirely new computer protection applica- fo^nd that a mechanism for "pushing" the needed updates to 

tions are automatically and transparently downloaded and client computers can be eflSdenlly configured using a dedi- 

installed. cated push administrator system separate from the central 

FIG. 6 shows steps taken by central antivirus server 308 antivirus server 308. In practice, the push administrator is 

in accordance with a preferred environment. At step 602. separated from the administrators of the cenu-al antivirus 

antivirus server 308 determines whether updated antivirus server company both physically and organizaUonally, allow- 

files from anUvirus software developers or engineers is ing the antivirus software developer to focus on the antivirus 
available. If such an update is avaUable, the updated anti- ^ aspects of the updates and aUowiog the push admmistrator 

virus files are loaded at step 604. For purposes of fllustration, ^^^^ P^*^ d/jj^^^^^ mechanism, 

and not by way of limitaUon, the updated antivirus files are ^ Computer network 800 comprises a client computer 802, 

stored in a self-extracting archive file called UPDAIE^ ^^^^^ f 

S1GNATURES.EXE. The self-extracting archive file 304 and 306, respective y, of HG. 3. Computer network 8^ 
TTnr^ATT- oti-'VTATTir.T-o nvi- J * _* ' 25 further comprises a central antivirus server 808 coupled to 
UPDArE_SlGNArURKJiXE composes a data porUon i„,ernet 804, and a piKh administralioo system 810 also 
and a program portion. Whea this is executed at the chent ^ ^^ ^^^^ embodiment of HG. 8, the 
computer 302, as descnbed mfra. the program portion ^^^^^ antivirus server 808 serves a more Umiled function 
extracts an updated antivirus file ANTIV1RUS_ ,han the central antivirus server 308 of FIG. 3. In particular, 
SlGNATURES-DATfrom the data porUon and places it mto ^^^^ antivirus server 808 has limited interaction vnlh 
the appropriate directory of chent computer 302. Although computer 802. and instead transfers updated antivirus 
in the present example only a smgle data file is stored m the ^^ ^^ administration system 810. It is the push 
data portion of UPDArE_SIGNArURES.EXE. mulUple administration system 810 that interacts with chent corn- 
files may be delivered by the self-extractmg archive file in a manner similar to the steps 606-614 of FIG. 
UPDArE_SIGNArURES.EXE, including executable pro- 6, but may optionally interact with cheat computer 802 with 
6^^°^^' regard to other applications such as technical news updates 

FIG. 6 then shows step 606, wherein central antivirus or application updates. Advantageously, according to the 

server 308 receives a notification that the user of computer preferred embodiment, the antivirus developers or engineers 

302 is connected to the Internet and has an active browser are permitted to focus on the antivirus aspects of the updates, 

application running. Central antivirus server 308 is provided and the push administration system provider may focus on 

with that user's identification, e.g. BJONES001234, and his optimally delivering the information to the client desktop 

or her associated IP address. At step 608, central antivirus using push technology. Additionally, the user of client 

server 308 accesses a subscriber database containing a list of computer 802 is attracted to the push administration system 

all known or registered subscribers. At step 610, using a because of the variety of usefiil and/or entertaining infor- 

database lookup procedure, central antivirus server 308 mation which may be obtained. Together, these elements 

determines whether that user has been sent the most recently provide for faster and more efficient distribution and deliv- 

updated antivirus files. If the user has already been sent the ery of the latest antivirus software updates to the client 

latest version of the virus signature files, no action is taken computer 802 as compared to prior art antivirus distribution 

for that user, wherein steps 602-606 are repeated. systems. 

However, if it is determined that the user of client 50 In general, the push administration system 810 pushes 

computer 302 has not received the latest versions of the virus channelized information to the chent desktop 802 according 

signature files, new updates are transmitted at step 612. At to a subscription plan for the user of client computer 802. 

step 614, central antivirus server 308 then updates the Antivirus update files arc delivered on one of the subscriber 

subscriber database to reflect that user BJONES001234 has channels. 

received the updated antivirus file. Importantly, it is to be 55 piG. 9 A shows a printout of the directory structure from 

appreciated that steps 606-614 are carried out for each of the a hard drive of client computer 802 according to the embodi- 

plurality of subscribers such as BJONES001234. Generally mem of FIG. 8, and in particular shows file listings of an 

speaking, there may be many such subscribers. Central Antivirus Software directory 902 on client computer 802. 

antivirus server must therefore be equipped with sufficient Similar to the embodiment of FIG, 3, Antivirus Software 

hardware and daiabase capability to handle the resulting directory 902 comprises a DAT Signature Files directory 

traffic. 904 and a Program directory 906. However, as shown in (he 

FIG. 7 shows a diagram of a database 700 contained directory listing of FIG. 9B, client computer 802 also 

within central antivirus server 308. Database 700 comprises comprises a Push Update Agent directory 908. Push Update 

an antivirus database 702 and a subscriber database 704 as Agent directory 908 contains a program directory 910 and a 
shown in FIG. 7. Shown in antivirus daiabase 702 are virus 65 data directory 912 that are dedicated for push update appli- 

sigtiature files and executable program files which represent cations and for interacting with push administration system 

the latest available versions, along with the operating sys- 810. 
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FIG. 9B also shows a priatout of (he contents of the ent to both the system administrator 1022 and to the users of 
program directory 910. Program directory 910 comprises a the client computers. Advantageously, the most recent anti- 
program Push_^AgcaLcxe 914 designed to interact with virus software is distributed to the client computers on 
push administration system 810 and supply updated infor- corporate network 1006 without the need for afSraiative 
mation to a plurality of subscriber chanoeb when the user of s action by the system administrator 1022. This can advanta- 
cliem computer 802 is connected to the Internet 804 and has geously lead to increased efSciency, lower costs, and 
activated a web browser. FIG. 9B shows channel directories reduced human errors, while at the same time increasing 
916 contained within the data directory 912. Push_ g^gm computer integrity and network efficiency. 
Agent.exe program 914 operates in the backgroui^^^^^^^ ^ ^^^^^^^ 1100 which is kept 
rn^ner which ts transparent to the use, of cl«nt compiHec J ^ 
802, a^d loads update .nformaUon mto ch nne drredortes J P ^ jP, ^^^^^ 
according to the user s subscnption preferences^ ^^.^^ ^^^.^ ^^^^ ^ responsible. 

According to a preferred embochmcnt. one of the user s ^j^^^ information 1104 relating to their hardware 

subscripUon preferences IS an antivirus update chamielasso- ^^^f^^ ^^^^^^^ 

ciated with the AnUvirus_^plication.ex6 program manu- ^^^^^ comprises, for each client computer in the corporate 

facturer. Support apphcations for configuring the user sub- ^^^^^^^ ^^^^ information 1106 related to the latest anUvi- 

scription preferences may be included in the program software update installation for each cUent computer, 

directory 910, as shown in FIG. 9A. When the user of chent „^ ^ i u . imn 

computer 802 has appropriately subscribed to an anUvirus "G-. ^ ^"ows steps taken by service computer 1020 

update channel, update files for that channel are placed, for ^ »^°fd^6. ^ preferred embodiment^ Service computer 

example, in the channel subdirectory "ChanS" shown in 1020, which usuaUy has a dedicated or full-tune connectiori 

FIG. 9B. The Push_Agent.exe program 914 and supporting »° 'n'""*' f'Cf':'" mfoimation fi^m central 

applications keep track of the subscriber channels associated ^^1^^^ ^'^f',^^^ according to a ptish technology 

^ih the channel directories 916. by periodically tratismitung a packet of m ormaUon 

— _ . f , „^t»,^ri, innn to central antivirus server 1002. In particular, at step 1202, 

HG. 10 shows a diagram of 25 ^-^^^ , 3^^^, j^.t ^.^p^, p,,kets as r^uircd. 

according to another preferred service compuTer 1020 (a) advises the central antivirus 

work 1000 comprises a centra antivirus server 1002 a push ^^^^^ ^^^^ P^^^ ^^^.^^ ^^^^0 is attached to the 

adminLStration system l^^^ f Internet 1(M)4 and a cor- ^^^.^^ ^^^^ ^^,^2 of the 

porate computer network 1006. Although the scope 0^ of computers and operaUng systems for which service 

preferred embodiment may encompass networks of any size, 30 ^^^^ respoiible, and (c) advises the central 

it IS most advantageously applied t^/^g^/^^^tw antivirus server 1002 of the latest antivirus software updates 

works comprismg many chent computers. Accordingly, the ^^.^^^ 

corporate network shown m FIG. 10 comprises a large \ . f 

number of nodes, including: a first set of cUent computers At step 1204, service computer 1020 receives anUvirus 

1008, which may correspond, for example, to the marketing 35 ^P^^^^*' ^ ^^q^^^d, from the central antivirus server 

department of a company; a local server 1010 coupled to the 1002. At step 1206, the service computer automaticaUy 

cUcnt computcis 1008; a second set of cHent computers distributes the antivirus updates, if any are received, to the 

1012 which may correspond, for example, to the finance appropriate client computers. Advantageously, an automated 

department of a company; a local server 1014 coupled to the network installation scripting procedure, such as ISEAM- 

client computers 1012; a thirxi set of client computers 1016 40 ^™ ^^"^ ^""^^^ Associates, is used to distribute and 

which may correspond, for example, to the engineering instaU the antivirus updates. This allows for a mmimum of 

department of a company; a local server 1018 coupled to the intervention, if any, by system admimstrator 1022, thus 

client computers 1016; a gateway computer 1019 for linking allowing for increased eflSciency and enhanced anUvirus 

corporate network 1006 to the Internet 1004, etc. The protection of the a)rporate network 1006 with the most up 

computers 1008-1019 are coupled as shown in HG. 10, but 45 *° ^^^^ antivirus information available from central antivirus 

may generally be arranged in any of a variety of corporate server 1002. If no updates are sent, sendee computer 1020 

computer network structures. Pauses at step 1208, and then steps 1202 to U04 are 

As with most typical corporate networks, corporate net- repeated, 
work 1006 comprises a service computer 1020 coupled as It is often the case that only a portion of the client 
shown in FIG. 10. Generally speaking, a service computer is 50 computers of corporate network 1006 require updates from 
a computer dedicated at least in part to assisting in servicing the central antivirus server. For example, overnight there 
the various hardware and software apphcations being used may have been a new release of a signature file update for 
in corporate computer network 1006. Such computers arc UNIX workstations onto central antivirus server 1002, but 
typically run by system administrators, help desk no new Windows 95 or MAC OSS releases. In this case, the 
administrators, or designated power users, and are referred 55 service computer 1020 would only receive the UNIX 
to by various names such as help desks, administration updates from central antivirus server 1002, and the auto- 
computers, or other names. Shown in FIG. 10 is a system mated installation procedure would distribute and install the 
administrator 1022 who operates the service computer 1020 updates only onto the UNIX dienl computers, 
and generally configures and maintains corporate network According to a preferred embodiment, central antivirus 
1006 and its hardware and software apphcations. 60 server 1002 maintains a database of information which is 

According to a preferred embodiment, service computer complementary to the information contained on service 

1020 is loaded with a group update agent software package computer 1020. The corporate customer owning the corpo- 

capable of (a) automatically receiving antivirus software rate network 1006 generally subscribes to the central anti- 

updates for a variety of chent computers on the corporate virus server operator for a fee, which may be a per-updatc 

network 1006 accordmg to a push technology method, and 65 fee or a fixed time period fee. In an altemative embodiment, 

(b) automaticaUy distributing the antivirus updates to the the central antivirus server 1002 maintains a complete 

respective chent computers, in a manner which is iranspar- database for the corporate network 1006, including all of the 



03/08/2004, EAST Version: 1.4.1 



us 6,269,456 Bl 

13 14 

information which was kept on the service computer 1020 as computer to communicate over the Internet with said central 

shown in FIG. 11. In this case, sendee computer 1020 would antivirus server when said client computer is connected to 

only transmit limited-information "pings" to central antivi- the Internet, said push agent software being capable of 

rus server 1002 according to a push technology method, and instructing said computer to receive the updated antivirus 
would send specific client computer information only when 5 file firom said central antivirus server, 

changes have occurred in corporate network 1006. ^ ^h^ method of claim 2, further comprising the step of 

, , - , jj .j eslablishmg a connection between the chent computer to Ihe 

Accordmg to another preferred embodiment, a dedicated ^^^^^^^^^ ^^^^^-^ ^^^^^ software receives the 

push admmistration system 1003 is used for distnbuUng antivirus update file in a background procedure which is 

antivirus updates to service computer 1020 according to a substantiaUy transparent to a user of the client computer, 
push technology method. The steps performed by push 10 4. The method of claim 3, wherein said updated antivirus 

administration system 1003 of FIG. 10 arc similar in nature jg a self-extracting archive file, and wherein said push 

to the steps performed by push administration server 810 of agent software is capable of executing said updated antivirus 

FIG. 8, with added information being maintained for dis- fife automatically upon receipt, whereby no affirmative user 

tributing multiple sets of antivirus information to service commands arc required during a time period between said 
computer 1020 according to the database 1100. 15 estabfishment of said Internet connection and a completed 

While preferred embodiments have been described, these instaUation of the updated antivirus file, 

descriptions are merely illustrative and arc not intended to 5 The method of claim 4 further comprising the step of 

Umit the scope of the present invention. Hius, although the [notifying the user that said installaUon of said updated 

embodiments described above were in the context of a installation file ^ complete. 

7 . . . • . u 20 6. A method for providmg an updated antivims file to a 

central antmms server using "push techno bgy, where □ ^^^^^ J ^ 3,^^,,, 

affirmative quencs are sent from resident antivirus update ^^^^^ Computer, comprising the steps of: 

agents on local cUent computers before anUyir^ update ^ ^^^.^.^^ ^ ^^^^^^ ^^^.^^^ 

packages are sent, those those skilled in the art will recog- server- 

T ' ^r' f 1"^°^ and Structures are readily ^ t.^^s^i^^ng the updated antivirus file from said central 

adaptable for broader apphcalions. As an example, within antivirus server to a push administration computer 

the scope of the preferred embodunents would be a local connected to the Internet, said push administration 

antivirus agent which engages the central antivirus server computer being capable of transmitting antivirus 

even when the local user is not browsing the Internet. In this update files to said client computer using push 

system, if the browser is not being used and the system is not technology, said push administration computer also 

otherwise busy (e.g. in the middle of the night), the local ^^^^^ adapted for transmitting non-antivims file infor- 

antivirus update agent causes the browser to connect to the tnation to the cUent computer; 

Internet, whereby the push channel to the central antivirus retrieving, from an antivims update database associated 

server is then automatically invoked. ^.^^^ ^^^t^^j antivirus server and the push 

As another example, while the preferred embodiments administration computer, information about a current 
have been described in terms of a single central antivirus antivirus file installed on the client computer; and 
server, within the scope of the preferred embodiments are transferring the updated antivirus file from said push 
multiple such servers for seivmg different users or types of administration computer to the client computer over the 
users, and these mulUple anUvirus servers may be arranged j^^^^^j ^^^^ ^^^^ technology, if it is determined from 
in a hierarchical fashion. Within the scope of such a pre- ^j^^ retrieved information that the updated antivirus file 
ferred embodiment is a system wherein each local area supersedes the current antivirus file, 
network antivirus server simply acts as a lowest level of an 7 j^^^j^^^j ^j^-^j ^ ^^^^j. comprising the step of 
antivirus server hierarchy. Also with the scope of such a j^staUing push agent software onto the client computer, said 
preferred embodiment is a system wherem a plurahty of ^^^^^ software being capable of instructing said chent 
servers in the antivu^ server hierarchy are coupled by computer to communicate over the Internet with said push 
means of private network or an aUernative global network administration server when said client computer is con- 
other than the Internet. Thus, while preferred embodunents ^^^^^^ Internet, said push agent software being 
have been described, these descriptions are merely capable of instructing said computer to receive the updated 
illustrative, and the scope of the present mvention is limited antivirus file from said central antivirus server across an 
only by the appended claims. antivirus update subscriber channel. 

What IS claimed is: . . 8, The method of claim 7, ftirther comprising the step of 

1. A method for providing an updated anUvims file to a estabUshing a connection between the client computer to the 
client computer, comprLsing the steps of: Internet, wherein said push agent software receives the 

storing the updated antivirus file on a central antivims antivirus update file in a background procedure which is 
server; 55 substantially transparent to a user of the client computer. 

retrieving, from an antivirus update database associated 9. The method of claim 8, wherein said updated antivirus 

with the central antivirus server, information about a file is a self-extracting archive file, and wherein said push 

current antivirus file installed on the client computer; agcntsoftware is capable of executing said updated antivirus 

and file automatically upon receipt, whereby no aflSrmative user 

transferring the updated antivirus file from said central 60 commands are required during a time period between said 

antivirus server to the client computer over the Internet establishment of said Intemet connection and a completed 

using push technology, if it is determined from the installation of the updated antivirus file, 

retrieved information that the updated antivirus file 10. The method of claim 9, further comprising the step of 

supersedes the current antivirus file. notifying the user that said installation of said updated 

2. The method of claim 1, further comprising the step of 65 installation file is complete. 

installing push agent software onto the client computer, said U. The method of claim 10, further comprising the steps 

push agent software being capable of instructing said chent of establishing a news-based subscriber channel between 
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said push adminislration computer and the clienl computer, 
thereby increasing the likelihood that the user will likewise 
establish an antivirus update channel between said push 
administration computer and the clienl computer. 

12. A method for providing updated antivirus files to a 
plurality of client computers on a local area network, the 
client computers being supported by a common service 
computer on the local area network, the common service 
computer being operated by a system administrator, the 
method for providing allowing for minimal aflBrmativc 
involvement by the system administrator in updating anti- 
virus files on the plurality of client computers, the method 
for providing comprising the steps of: 

storing the updated antivirus files on a central antivirus 

server; j5 
transmitting the updated antivirus files fi-om said central 

antivirus server to a push administration computer 

connected to the Internet; 
transmitting the updated antivirus files &om said push 

administration computer to said service computer using 20 

push technology; and 
obtaining, from a network antivirus database, information 

about current antivirus files installed on each client 

computer; and 

executing an automatic installation script at said service 25 
computer for automatically installing updated antivirus 
information on said plurality of client computers across 
the local area network, if it is determined from the 
retrieved information that the updated antivims files 
supersede the current antivirus files on each corre- 
sponding client computer. 

13. The method of claim 12, wherein the network anti- 
virus database comprises: 

an identifier for each of the plurality of client computers; 

a first field for storing an identifier of the operating system 
used by each of the plurality of client computers; 

a second field for storing the identity of the last updated 
antivirus file received by each of said plurality of 
computers; and 

wherein said service computer transmits information from 
said network antivirus database to said push adminis- 
tration computer prior to receiving the updated antivi- 
rus files. 

14. The method of claim 12, wherein the network anti- 
virus database comprises: 

an identifier for the local area network; 
an identifier for each of the plurality of client computers 

on the local area network; 
a first field for storing an identifier of the operating system 

used by each of the plurality of client computers on the 

local area network; 
a second field for storing the identity of the last updated 

antivirus file received by each of said pluraUty of 

computers on the local area network. 

15. In a computer network comprising a wide area packet 
switched network, a first computer coupled to the packet 
switched network, and a second computer intermittently 
coupled to the packet-switched network, a method for pro- 
viding an updated antivirus file from the first computer to the 50 
second computer in a manner which is transparent to a user 
of the second computer, comprising the steps of: 

at the first computer, executing a first program for detect- 
ing when said second computer is connected to said 
packet switched network; 

when the second computer is connected to the packet- 
switched network, transmitting a first signal from the 



second computer to the first computer indicating that 
the second computer is connected to the packet- 
switched network- 
retrieving at the first computer, from an antivirus update 
database, information about a current antivirus file 
installed on the second computer to determine whether 
said second computer has received the most recently 
updated antivirus file; and 
if, based on said retrieved information, said second com- 
puter has not received the most recently updated anti- 
virus file, transmitting said most recently updated anti- 
virus file from the first computer to the second 
computer across the packet switched network. 

16. The method of claim 15, further comprising the step 
of, subsequent to said step of transmitting said most recently 
updated antivirus file, updating said antivirus update data- 
base with the identity of said most recently updated antivirus 
file transmitted to the second computer. 

17. A method for providing antivirus files to a plurality of 
client computers connected to a first network, the cUent 
computers being connected to a common service computer 
also connected to said first network, the method for provid- 
ing comprising: 

installing a first set of antivirus files on each of said 

plurality of client computers; 
storing a second set of antivirus files on a central antivirus 
server, at least one of said second set of antivirus files 
comprising an updated version of at least one of said 
antivirus files in said first set; 
transmitting the second set of antivirus files from said 
central antivirus server to a push administration com- 
puter connected to the internet; 
maintaining in an antivirus update database associated 
with one of the central antivirus server and the push 
administration computer, information reflective of 
which antivirus files are to be updated on each of said 
plurality of client computers, and when each of said 
antivirus files on each of the computers was last 
updated; 

transmitting the second set of antivirus files from said 
push administration computer to said service computer 
using push technology; and 
executing an installation script at said service computer to 
automatically install said second set of antivirus files on 
said plurality of client computers across said first 
network. 

18. The method of claim 17, comprising the step of 
transmitting said first set of antivirus files from said push 
administration computer to said common service computer, 
prior to installing said first set of antivirus files on said 
plurality of client computers. 

50 19. The method of claim 17, wherein the second set of 
antivirus files is transmitted to said common service com- 
puter in accordance with a subscription plan associated with 
said plurality of client computers. 

20. A method for providing antivirus files to a client 
55 computer connected to the internet via an internet service 
provider, the method for providing comprising: 

installing a first set of antivirus files on said client 
computer; 

storing a second set of antivirus files on a central antivirus 
server, at least one of said second set of antivirus files 
comprising an updated version of at least one of said 
antivirus files in said first set; 
transmitting the second set of antivirus files from said 
central antivirus server to a ptish administration com- 
puter connected to the internet; 
maintaining in an antivirus update database associated 
with one of the cenual antivirus server and the ptish 
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administration computer, information reflective of 

which antivirus files are to be updated on the client 

computer, and when each of said antivirus files on said 

client computer was last updated; 
trananitting the second set of antivirtis files from said s 

push administration computer to said client computer 

using push technology; and 
automatically installing said second set of antivirus files 

on said client computer. 

21. The method of claim 20, wherein the second set of lO 
antivirus files is transmitted to said client computer in 
accordance with a subscription plan associated with said 
client computer. 

22, A method for providing antivirus files to a client 
computer connected to the internet, the method comprising: 15 

installing a first set of antivirus files on said client 
computer; 

storing a second set of antivirus files on a central antivirus 
server, at least one of said second set of antivirus files 
comprising an updated version of at least one of said ^ 
antivirus files in said first set; 

transmitting the second set of antivirus files from said 
central antivirus server to a ptish administration com- 
puter connected to the internet; 
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maintaining in an antivirus update database not associated 
with the client computer, information reflective of 
which antivirus files are to be updated on the client 
computer, and when each of said antivirus files on said 
client computer was last updated; 

transmitting the second set of antivirus files from said 
push administration computer to said client computer 
using push technology; and 

automatically installing said second set of antivirus files 
on said client computer if, based on information 
retrieved from said antivirus update database, the sec- 
ond set of antivirus files supersedes said first set of 
antivirus files. 

23. The method of claim 22, wherein the antivirus update 
database is associated with the push administration com- 
puter. 

24. The method of claim 22, wherein the antivirus update 
database is associated with the central antivirus server. 

25. The method of claim 22, wherein the antivirus update 
database is associated with a service computer connected to 
the client computer. 

* * * * * 
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